Try calling
ctx.isCallerInRole("Common")
in the setX method, with ctx being the session context of the bean. If it is true, you can throw a SecurityException.
I have the roles already defined in ejb-jar.xml for each method. If I put the method sessioncontext.isCallerInRole for deleteX, the previous role definition in ejb-jar is useless...
Isn't there a way to call JaasSecurityManager.doesUserHaveRole() again at the beginning of each method of my session bean?
And why isn't JaasSecurityManager authenticating the method (deleteX) inside another method (setX)?
What is the 'trigger' to call JaasSecurityManager?
Well, a workaround to this is to make an instance of the session bean inside of itself and use this to call the methods...
Don't you need to go via an interface (local/remote) on the SessionBean to trigger the security manager? Just calling this.deleteX() won't allow the container to intercept the method call to do the security checking...
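
The interception behaviour discussed in this thread, as an added example that is not code from any poster or from JBoss: a java.lang.reflect.Proxy stands in for the container's security interceptor, so the per-method role check runs only on calls that go through the interface. The XLocal interface, the "Admin" role and the permission map are assumptions made for the illustration; setX, deleteX and "Common" come from the thread.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;

public class SelfInvocationDemo {
    // Hypothetical local interface of the session bean.
    interface XLocal { String setX(); String deleteX(); }

    // Constructed stand-in for the method permissions in ejb-jar.xml.
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "setX", Set.of("Common", "Admin"),
        "deleteX", Set.of("Admin"));

    static class XBean implements XLocal {
        XLocal self;          // interface reference, as ctx.getEJBLocalObject() would give
        boolean viaInterface; // switch between the two call styles
        public String setX() {
            // this.deleteX() is a plain Java call: the interceptor never sees it.
            return viaInterface ? self.deleteX() : this.deleteX();
        }
        public String deleteX() { return "deleted"; }
    }

    // Simulated container: role check before every call made through the interface.
    static XLocal deploy(XBean bean, String callerRole) {
        InvocationHandler handler = (proxy, method, args) -> {
            Set<String> allowed = PERMISSIONS.getOrDefault(method.getName(), Set.of());
            if (!allowed.contains(callerRole))
                throw new SecurityException(callerRole + " may not call " + method.getName());
            try {
                return method.invoke(bean, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the bean's own exception unchanged
            }
        };
        XLocal proxy = (XLocal) Proxy.newProxyInstance(
            XLocal.class.getClassLoader(), new Class<?>[] {XLocal.class}, handler);
        bean.self = proxy;
        return proxy;
    }

    public static void main(String[] args) {
        for (boolean viaInterface : new boolean[] {false, true}) {
            XBean bean = new XBean();
            bean.viaInterface = viaInterface;
            String label = viaInterface ? "self.deleteX()" : "this.deleteX()";
            try {
                System.out.println(label + " -> " + deploy(bean, "Common").setX());
            } catch (SecurityException e) {
                System.out.println(label + " -> denied: " + e.getMessage());
            }
        }
    }
}
```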